Date: Sat, 15 Jun 2024 21:44:54 +0100
From: Matthew Wilcox
To: Hillf Danton
Cc: linux-mm@kvack.org, Jan Kara, linux-kernel@vger.kernel.org, syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com, linux-fsdevel@vger.kernel.org, linux-nilfs@vger.kernel.org, Ryusuke Konishi
Subject: Re: [RFC PATCH] mm: truncate: flush lru cache for evicted inode
References: <20240614235953.809-1-hdanton@sina.com>
In-Reply-To: <20240614235953.809-1-hdanton@sina.com>

On Sat, Jun 15, 2024 at 07:59:53AM +0800, Hillf Danton wrote:
> On Fri, 14 Jun 2024 14:42:20 +0100 Matthew Wilcox wrote:
> > On Fri, Jun 14, 2024 at 09:18:56PM +0800, Hillf Danton wrote:
> > > Flush lru cache to avoid folio->mapping uaf in case of inode teardown.
> >
> > What? inodes are supposed to have all their folios removed before
> > being freed. Part of removing a folio sets the folio->mapping to NULL.
> > Where is the report?
> >
> Subject: Re: [syzbot] [nilfs?] [mm?] KASAN: slab-use-after-free Read in lru_add_fn
> https://lore.kernel.org/lkml/000000000000cae276061aa12d5e@google.com/

Thanks. This fix is wrong.
Of course syzbot says it fixes the problem, but you're just avoiding putting the folios into the situation where we have debug that would detect the problem. I suspect this would trigger: +++ b/fs/inode.c @@ -282,6 +282,7 @@ static struct inode *alloc_inode(struct super_block *sb) void __destroy_inode(struct inode *inode) { BUG_ON(inode_has_buffers(inode)); + BUG_ON(inode->i_data.nrpages); inode_detach_wb(inode); security_inode_free(inode); fsnotify_inode_delete(inode); and what a real fix would look like would be calling clear_inode() before calling iput() in nilfs_put_root(). But I'm not an expert in this layer of the VFS, so I might well be wrong.
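Review bot: the added line "BUG_ON(inode->i_data.nrpages);" in __destroy_inode() panics the whole machine on a condition the linked syzbot report shows is reachable in practice (an inode reaching teardown with folios still attached, which the message attributes to nilfs_put_root() calling iput() without clear_inode()), so as a debugging probe to confirm that diagnosis under syzbot it does the job, but if it is ever sent for merging it should be WARN_ON_ONCE(inode->i_data.nrpages) so the leaked page cache is reported with a backtrace without taking the box down; placing it next to the existing BUG_ON(inode_has_buffers(inode)) is the right spot, since both express the same "nothing may still reference this inode" invariant. Minor: the fragment carries only the "+++ b/fs/inode.c" line with no "---" or "diff --git" header, so it will not apply with git am as quoted; fine for a "would this trigger" snippet, but worth completing before anyone tries to apply it.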